<div dir="ltr">Thanks Tatsuo-san for your help on this.<div>Would be great if we have such examples covered in documentation .<br><div>I am happy to close this request for now.</div><div><br></div><div>Regards,</div><div>Rajni</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 23, 2020 at 1:55 PM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">>> >>> Can you elaborate what is your security concern?<br>
>><br>
> That the password will be in plain text ( not encrypted ) and can be<br>
> compromised. Or I am missing something here.<br>
<br>
If you are talking about passwords flying between frontend and pgpool<br>
using enable allow_clear_text_frontend_auth, then yes. But you can use<br>
SSL to protect passwords from attacker.<br>
<br>
> But when I am trying to login via psql (using pgpool user) , it is giving<br>
> me belwo error. I tried using pool_password file ( pgpool:AESxxxxx) as<br>
> well but no luck.<br>
> # psql -p 9999-h hostname -U pgpool<br>
> psql: ERROR: unable to read message length<br>
> DETAIL: message length (23) in slot 1 does not match with slot 0(42)<br>
> ERROR: unable to read message length<br>
> DETAIL: message length (23) in slot 1 does not match with slot 0(42)<br>
<br>
> *Pgpool log:*<br>
> 2020-05-22 16:24:54: pid 11774: ERROR: unable to read message length<br>
> 2020-05-22 16:24:54: pid 11774: DETAIL: message length (23) in slot 1 does<br>
> not match with slot 0(42)<br>
> * All users who has md5 password and is has entry in pool_passwd file are<br>
> logging successfully( using psql and pgpool) but problem is with user<br>
> having SCRAM password.<br>
> <br>
> Questions:<br>
> - What am I doing wrong in above step?<br>
<br>
It seems the entry for the "pgpool" user in pg_hba.conf is different<br>
among backends.<br>
<br>
> - What are the steps , if I need to use combination of md5 and SCRAM<br>
> passwords?<br>
> - when do I need to use pool_hba?<br>
<br>
In this case (using allow_clear_text_frontend_auth) you do not need to<br>
use pool_hba.conf.<br>
<br>
> - Is it true that pool_passwd file works only for md5 passwords?<br>
<br>
No.<br>
<br>
> If yes,<br>
> then how users with SCRAM password enabled will be able to connect using<br>
> pgpool?<br>
<br>
You need to set up SCRAM password in pool_passwd.<br>
<br>
>> >>>A password in pool_passwd is used if health_check_password is an empty<br>
>> >>>string.<br>
>><br>
>> > - Some Detail msg in pgpool log that I an mot sure of ? what is server<br>
>> > here ( pgpool or postgres) - server doesn't want to talk SSL<br>
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: authenticate backend: key data<br>
>> > received<br>
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: authenticate backend: transaction<br>
>> > state: I<br>
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: attempting to negotiate a secure<br>
>> > connection<br>
>> > 2020-05-21 19:16:20: pid 6664: DETAIL: sending client->server SSL<br>
>> request<br>
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: attempting to negotiate a secure<br>
>> > connection<br>
>> > 2020-05-21 19:16:20: pid 6664: DETAIL: client->server SSL response: N<br>
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: attempting to negotiate a secure<br>
>> > connection<br>
>> > 2020-05-21 19:16:20: pid 6664: DETAIL: *server doesn't want to talk SSL*<br>
>> > 2020-05-21 19:16:20: pid 6664: DEBUG: authenticate kind = 0<br>
>><br>
>> >>> "server" means PostgreSQL here.<br>
>> Thanks<br>
>><br>
> What is the meaning of this message ? server doesn't want to talk SSL<br>
<br>
PostgreSQL is not ready for accepting SSL connection from pgpool.<br>
<br>
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
</blockquote></div>